[BBLISA] Re: SELinux

Daniel Hagerty hag at linnaean.org
Fri Jan 25 11:51:04 EST 2008


 > Is it possible to permanently change /tmp and /var/tmp to chmod o-wx, and
 > then prevent anything from ever creating world writable and executable in
 > those folders?

    The tmp directories are specified as world writable, by
definition.  Change this and you can expect to see something break in
short order.  As for preventing certain permission bits from ever
being set if an object is under a certain path, never heard of such.
It would probably be an annoying bout of kernel hacking, depending on
how you cut it up.

 > Then, is it possible to carry those changes to individual user home
 > directories?

    I don't follow this part.  You mean the "never let them create
world writable/executable objects in their home directory"?  You
could just change the directory 770; if you can't find the object, you
can't write/execute it.

 > I could do the chmod myself then modify the permissions of chmod to 700.

    Any idiot that can figure out how to call chmod(2) via an
alternate method can bypass this.  E.g. perl can call chmod (or in
fact, any system call, since it has a syscall() implementation).

 > But that doesn't answer how applications will behave if they need to
 > create directories... would umask help?

    Filesystem creation calls include the ability to specify the
permissions on the created object, where the specified permissions
have a umask subtracted from them.

 > It's just one of those things where I'm simply following directions.

    Sometimes your job as a sysadmin is to question your orders.
You're hired for your expertise in the subject area, and bloody well
ought to have input into how you do your job.

    You have enough sysadmins saying "where are you going with this
line of questioning?" that you have plenty of reason to push back on
whatever is prompting this line of questioning.

    Are you really sure your problem isn't the sort where you beat a
misbehaving user over the head with the company's Acceptable Use
Policy?
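As an added illustration of two points in the reply above (the umask is applied to the mode a creating call requests, and an explicit chmod(2) is untouched by it, so anyone who can reach the system call from perl or anything else can still make an object world-writable), here is a Python script that is not part of the original message or the thread. What the reply describes as subtracting the umask is, precisely, a bitwise clear: the recorded bits are mode & ~umask. The script builds its sample tree under a temporary directory created for the purpose, and the function names, the sample file names and the mode values are my own choices. One caveat: on filesystems where the parent directory carries a default POSIX ACL, the ACL replaces the umask in that computation, so the observed bits can differ there.

```python
import os
import shutil
import stat
import tempfile


def expected_mode(mask, requested):
    """Permission bits the kernel records for a newly created object:
    the requested bits with the umask bits cleared (mode & ~umask)."""
    return requested & ~mask & 0o7777


def create_with_umask(mask, requested):
    """Create a file and a directory under a fresh temp dir while the
    process umask is `mask`, then return the observed permission bits:
    'file' and 'dir' right after creation, and 'chmod' after an explicit
    os.chmod(requested) on the file, which the umask does not touch."""
    old = os.umask(mask)
    try:
        top = tempfile.mkdtemp()
        try:
            fpath = os.path.join(top, "f")
            dpath = os.path.join(top, "d")
            fd = os.open(fpath, os.O_CREAT | os.O_EXCL | os.O_WRONLY, requested)
            os.close(fd)
            os.mkdir(dpath, requested)
            observed = {
                "file": stat.S_IMODE(os.stat(fpath).st_mode),
                "dir": stat.S_IMODE(os.stat(dpath).st_mode),
            }
            # chmod(2) sets the bits exactly as asked; the umask plays no
            # part.  This is the same system call perl (or any other
            # language) can issue, which is why making /bin/chmod 0700
            # stops nobody.
            os.chmod(fpath, requested)
            observed["chmod"] = stat.S_IMODE(os.stat(fpath).st_mode)
            return observed
        finally:
            shutil.rmtree(top)
    finally:
        os.umask(old)


def world_writable(root):
    """Walk `root` and return (relative path, sticky) for every entry that
    is world-writable.  `sticky` is True/False for a directory (True is the
    /tmp convention: others may create but not delete each other's files)
    and None for a plain file.  Symlinks are skipped: their bits are
    meaningless and the target is checked on its own."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            if st.st_mode & stat.S_IWOTH:
                sticky = None
                if stat.S_ISDIR(st.st_mode):
                    sticky = bool(st.st_mode & stat.S_ISVTX)
                findings.append((os.path.relpath(path, root), sticky))
    return sorted(findings)


def demo_scan():
    """Constructed sample tree (not from the original post): a sticky
    world-writable directory like /tmp, a non-sticky world-writable
    directory holding a world-writable file, and a private directory
    holding a private file.  Returns the audit findings."""
    old = os.umask(0)
    top = tempfile.mkdtemp()
    try:
        os.mkdir(os.path.join(top, "tmp_like"), 0o1777)
        os.mkdir(os.path.join(top, "loose"), 0o777)
        os.mkdir(os.path.join(top, "private"), 0o700)
        for name, mode in (("loose/open.txt", 0o666), ("private/secret", 0o600)):
            fd = os.open(os.path.join(top, name), os.O_CREAT | os.O_WRONLY, mode)
            os.close(fd)
        return world_writable(top)
    finally:
        shutil.rmtree(top)
        os.umask(old)


if __name__ == "__main__":
    print(create_with_umask(0o077, 0o666))  # {'file': 0o600, 'dir': 0o600, 'chmod': 0o666}
    print(demo_scan())
```

Run it as an ordinary user; the umask is per process, so the rest of the session is unaffected. The `world_writable` walk is the practical alternative to what the original question asks for: since no mount option or permission setting stops a process from calling chmod(2) on its own files, the realistic control is to audit for world-writable objects (and for world-writable directories without the sticky bit) and deal with whoever keeps creating them.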
